[EXT] Re: Re: Re: [xsde-users] Codesynthesis XSDE security vulnerabilities database
Yegnaram, Shrikant
SYegnaram at cls-bank.com
Tue Dec 17 11:09:00 EST 2024
Thank you Boris.
We will wait for the new 3.3.0 distribution.
Any tentative release date for this distribution? It will help us plan our application releases.
Thanks,
Shrikant Yegnaram
-----Original Message-----
From: Boris Kolpackov <boris@codesynthesis.com>
Sent: Tuesday, December 17, 2024 2:52 AM
To: Yegnaram, Shrikant <SYegnaram@cls-bank.com>
Cc: xsde-users@codesynthesis.com
Subject: [EXT] Re: Re: Re: [xsde-users] Codesynthesis XSDE security vulnerabilities database
Yegnaram, Shrikant <SYegnaram@cls-bank.com> writes:
> There are a bunch of vulnerabilities listed on nvd website for 2.1 expat
> release. Specifically looking if CVE-2016-0718 for expat was fixed in
> Codesynthesis XSD/e 3.2.0 release?
No, XSD/e was released before that vulnerability was discovered. However, you can patch it to fix this (and all other known to this point) CVEs by applying this patch:
https://codesynthesis.com/~boris/tmp/xsde/xsde-genx-expat-patch-8.zip
Specifically, replace the files in your XSD/e 3.2.0 distribution with the files in this archive, rebuild libxsde, and rebuild your application.
> If not, what is the plan for a new XSD/e release with the fixes for
> libexpat vulnerabilities.
We plan to release 3.3.0 with these fixes in the new year.